Shorewall users - Nov 2011 - shorewall bridging firewall set up

Hello everyone,

i''d like to set up shorewall as a bridging firewall. I''ve got
a shorerwall management server and 2 shorewall lite servers.  Version 4.24-1
The shorewalllite servers have 3 interfaces:
Eth2 dmz
Eth0 internet
Eth1 loc

I created a bridge and added interface eth0+eth1.

I''d like to filter/restrict the traffic through the bridge.
Now my question is:

Do I need shorewall-perl for this?  Where can I download shorewall-perl? I alrdy
searched through some download mirrors on shorewall.net but didn''t find
shorewall-perl...

Can I filter through the bridge with shorewall + shorewall lite, too ?

I already installed bridge-utils, etc.  I only don''t know how to
configure shorewall for bridiging firewall support.
Can I use this tutorial, even I don''t use shorewall-perl?
http://www.shorewall.net/bridge-Shorewall-perl.html

If I start the command: "shorewall load firewall1" on my  shorewall
manage server. It starts compiling, but give me 2 errors:
First in shorewall.conf:
Bridging=YES is not supported in shorewall 4.x.x
I googled this error and was linked to: 
http://www.shorewall.net/bridge-Shorewall-perl.html

That''s why I ask you: do I need shorewall-perl for bridiging firewall
support and where can I dpownload it?

As I commented the Bridging=yes out I received another error in
"hosts"
ERROR: invalid IP Address (eth0) at line 132

That''s the line:
net         br0:eth0

I''d really appreciate any given support !

Best Regards

Alex




------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1

On Nov 14, 2011, at 10:40 PM, <Alexander.Eck@Heidelberg.de>
<Alexander.Eck@Heidelberg.de> wrote:
> 
> i’d like to set up shorewall as a bridging firewall. I’ve got a shorerwall
management server and 2 shorewall lite servers.  Version 4.24-1
Presumably, you mean 4.4.24-1?
> The shorewalllite servers have 3 interfaces:
> Eth2 dmz
> Eth0 internet
> Eth1 loc
>  
> I created a bridge and added interface eth0+eth1.
>  
> I’d like to filter/restrict the traffic through the bridge.
> Now my question is:
>  
> Do I need shorewall-perl for this?  Where can I download shorewall-perl? I
alrdy searched through some download mirrors on shorewall.net but didn’t find
shorewall-perl…
>From http://www.shorewall.net/FAQ.htm
(FAQ 14) I can''t find the Shorewall 4.4 shorewall-common,
shorewall-shell and shorewall-perl packages? Where are they?

Answer:In Shorewall 4.4, the shorewall-shell package was discontinued. The
shorewall-common and shorewall-perl packages were combined to form a single
shorewall package.
 
>  
> Can I filter through the bridge with shorewall + shorewall lite, too ?
Yes.
>  
> I already installed bridge-utils, etc.  I only don’t know how to configure
shorewall for bridiging firewall support.
> Can I use this tutorial, even I don’t use shorewall-perl?
http://www.shorewall.net/bridge-Shorewall-perl.html
If you have Shorewall 4.4.24, then you have Shorewall-perl as mentioned
above.
>  
> If I start the command: “shorewall load firewall1” on my  shorewall manage
server. It starts compiling, but give me 2 errors:
> First in shorewall.conf:
> Bridging=YES is not supported in shorewall 4.x.x
> I googled this error and was linked to: 
http://www.shorewall.net/bridge-Shorewall-perl.html
Which is the correct HOWTO.
>  
> That’s why I ask you: do I need shorewall-perl for bridiging firewall
support and where can I dpownload it?
>  
> As I commented the Bridging=yes out I received another error in “hosts”
> ERROR: invalid IP Address (eth0) at line 132
>  
> That’s the line:
> net         br0:eth0
>  
> I’d really appreciate any given support !
Simply follow the instructions at
http://www.shorewall.net/bridge-Shorewall-perl.html.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1

Hi Tom,

thanks for your reply. Yes i Meant 4.4.24. I got a bit confused with shorewall
and shorewall-perl  but i guess i now get it.

But I''m actually getting another error:

I''m running Centos 5.7 with iptables 1.3.5 
And while compiling on the management system with the command:
Shorewall load firewallDNSname

I receive the error:
ERROR:  Your iptables is not recent enough to support bridge ports :
/opt/shwallexport/fw01/interface (line 233)

So I tried the same setup with Centos 6 with iptables 1.4.7
And I receive the same error.

I Configured like mentioned here: 
http://www.shorewall.net/bridge-Shorewall-perl.html.

You''ve got any idea on that issue ?

Best Regards

Alex

-----Ursprüngliche Nachricht-----
Von: Tom Eastep [mailto:teastep@shorewall.net] 
Gesendet: Dienstag, 15. November 2011 15:08
An: Shorewall Users
Betreff: Re: [Shorewall-users] shorewall bridging firewall set up


On Nov 14, 2011, at 10:40 PM, <Alexander.Eck@Heidelberg.de>
<Alexander.Eck@Heidelberg.de> wrote:
> 
> i''d like to set up shorewall as a bridging firewall. I''ve
got a
> shorerwall management server and 2 shorewall lite servers.  Version 
> 4.24-1
Presumably, you mean 4.4.24-1?
> The shorewalllite servers have 3 interfaces:
> Eth2 dmz
> Eth0 internet
> Eth1 loc
>  
> I created a bridge and added interface eth0+eth1.
>  
> I''d like to filter/restrict the traffic through the bridge.
> Now my question is:
>  
> Do I need shorewall-perl for this?  Where can I download 
> shorewall-perl? I alrdy searched through some download mirrors on 
> shorewall.net but didn''t find shorewall-perl.
>From http://www.shorewall.net/FAQ.htm
(FAQ 14) I can''t find the Shorewall 4.4 shorewall-common,
shorewall-shell and shorewall-perl packages? Where are they?

Answer:In Shorewall 4.4, the shorewall-shell package was discontinued. The
shorewall-common and shorewall-perl packages were combined to form a single
shorewall package.
 
>  
> Can I filter through the bridge with shorewall + shorewall lite, too ?
Yes.
>  
> I already installed bridge-utils, etc.  I only don''t know how to
configure shorewall for bridiging firewall support.
> Can I use this tutorial, even I don''t use shorewall-perl? 
> http://www.shorewall.net/bridge-Shorewall-perl.html
If you have Shorewall 4.4.24, then you have Shorewall-perl as mentioned
above.
>  
> If I start the command: "shorewall load firewall1" on my 
shorewall manage server. It starts compiling, but give me 2 errors:
> First in shorewall.conf:
> Bridging=YES is not supported in shorewall 4.x.x I googled this error 
> and was linked to:  
> http://www.shorewall.net/bridge-Shorewall-perl.html
Which is the correct HOWTO.
>  
> That''s why I ask you: do I need shorewall-perl for bridiging
firewall support and where can I dpownload it?
>  
> As I commented the Bridging=yes out I received another error in
"hosts"
> ERROR: invalid IP Address (eth0) at line 132
>  
> That''s the line:
> net         br0:eth0
>  
> I''d really appreciate any given support !
Simply follow the instructions at
http://www.shorewall.net/bridge-Shorewall-perl.html.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1

On Tue, 2011-11-15 at 14:29 +0000, Alexander.Eck@Heidelberg.de wrote:
> But I''m actually getting another error:
> 
> I''m running Centos 5.7 with iptables 1.3.5 
> And while compiling on the management system with the command:
> Shorewall load firewallDNSname
I really recommend running ''shorewall check .'' until you get
the
configuration clean.
> 
> I receive the error:
> ERROR:  Your iptables is not recent enough to support bridge ports :
/opt/shwallexport/fw01/interface (line 233)
You generate the capabilities file on the *firewall* system, and it is
that system''s iptables that is missing the "Repeat match"
capability. In
the capabilities file, it is listed as KLUDGEFREE.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1

Thanks Tom,

after copying the correct capabilities file everything works just fine!

Greetings Alex

-----Ursprüngliche Nachricht-----
Von: Tom Eastep [mailto:teastep@shorewall.net] 
Gesendet: Dienstag, 15. November 2011 15:44
An: Shorewall Users
Betreff: Re: [Shorewall-users] shorewall bridging firewall set up

On Tue, 2011-11-15 at 14:29 +0000, Alexander.Eck@Heidelberg.de wrote:
> But I'm actually getting another error:
> 
> I'm running Centos 5.7 with iptables 1.3.5 And while compiling on the 
> management system with the command:
> Shorewall load firewallDNSname
I really recommend running 'shorewall check .' until you get the
configuration clean.
> 
> I receive the error:
> ERROR:  Your iptables is not recent enough to support bridge ports : 
> /opt/shwallexport/fw01/interface (line 233)
You generate the capabilities file on the *firewall* system, and it is that
system's iptables that is missing the "Repeat match" capability.
In the capabilities file, it is listed as KLUDGEFREE.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Hi Tom and everyone,

After creating the capabilities file (KLUDGEFREE=yes)Compiling shorewall now
works fine, but my two shorewall-lite servers seem to just ignore all rules and
the policys.

Setup as follows:

Br0 with interface eth0(net) and eth1(loc) 
Eth2 (dmz)

Br0 has no IP

Entries in file interfaces.


#ZONE   INTERFACE       BROADCAST       OPTIONS
pub     br0     -       bridge
net     br0:eth0
loc     br0:eth1
dmz     eth2    detect


Entries in file: zones:

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
pub     ipv4
net:pub bport4
loc:pub bport4
dmz     ipv4


Some entries from file rules:
ACCEPT  dmz     fw      udp     161
ACCEPT  dmz     fw      tcp     1311
ACCEPT  net     loc     udp     8116
ACCEPT  net     loc     tcp     80,443,8080
ACCEPT  net     loc     ESP


I connected a laptop on port eth0 (net) and another laptop on port eth1 . I
tried to connect to some ports from net to loc that should get dropped, but they
get accepted.

I already took a look on the shorewall-lite servers in the log files with
"shorewall show log.
The only content I receive is:

Shorewall Lite 4.4.24.1 Log (/var/log/messages) at shwall01 - Mi 16. Nov
09:58:00 CET 2011

Counters reset Mi 16. Nov 09:46:03 CET 2011


Any idea on this ?

Best Regards

Alex


-----Ursprüngliche Nachricht-----
Von: Alexander.Eck@Heidelberg.de [mailto:Alexander.Eck@Heidelberg.de] 
Gesendet: Dienstag, 15. November 2011 16:12
An: shorewall-users@lists.sourceforge.net
Betreff: Re: [Shorewall-users] shorewall bridging firewall set up

Thanks Tom,

after copying the correct capabilities file everything works just fine!

Greetings Alex

-----Ursprüngliche Nachricht-----
Von: Tom Eastep [mailto:teastep@shorewall.net]
Gesendet: Dienstag, 15. November 2011 15:44
An: Shorewall Users
Betreff: Re: [Shorewall-users] shorewall bridging firewall set up

On Tue, 2011-11-15 at 14:29 +0000, Alexander.Eck@Heidelberg.de wrote:
> But I'm actually getting another error:
> 
> I'm running Centos 5.7 with iptables 1.3.5 And while compiling on the 
> management system with the command:
> Shorewall load firewallDNSname
I really recommend running 'shorewall check .' until you get the
configuration clean.
> 
> I receive the error:
> ERROR:  Your iptables is not recent enough to support bridge ports : 
> /opt/shwallexport/fw01/interface (line 233)
You generate the capabilities file on the *firewall* system, and it is that
system's iptables that is missing the "Repeat match" capability.
In the capabilities file, it is listed as KLUDGEFREE.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

On Wed, 2011-11-16 at 09:23 +0000, Alexander.Eck@Heidelberg.de wrote:
> 
> I connected a laptop on port eth0 (net) and another laptop on port eth1 . I
tried to connect to some ports from net to loc that should get dropped, but they
get accepted.
> 
> I already took a look on the shorewall-lite servers in the log files with
"shorewall show log.
> The only content I receive is:
> 
> Shorewall Lite 4.4.24.1 Log (/var/log/messages) at shwall01 - Mi 16. Nov
09:58:00 CET 2011
> 
> Counters reset Mi 16. Nov 09:46:03 CET 2011
> 
> 
> Any idea on this ?
Please forward the output of ''shorewall-lite dump'' collected
on the
firewall.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1